David Evans cs.virginia/~evans

David Evanshttp://www.cs.virginia.edu/~evans

CS551: Security and PrivacyUniversity of VirginiaComputer Science

Lecture 2: Breaking Unbreakable Ciphers

Confronted with the prospect of defeat, the Allied cryptanalysts had worked night and day to penetrate

German ciphers. It would appear that fear was the main driving force, and that adversity is one of the foundations of

successful codebreaking.

Simon Singh, The Code Book

30 Aug 2000 University of Virginia CS 551 2

Menu• Survey Results• Vigenère – “Le Chiffre Indéchiffrable”• Shannon Principles: Perfect Ciphers


Survey Results

• Forged email: 15 out of 41• Broken into systems: 8 out of 41• PGP: 1 regular, 3 occasional• Movies/Books: Sneakers (14), Hackers (4),

Mission Impossible (2), Wargames (2), Cryptonomicon (2), Matrix, Takedown, Enemy of the State, Cuckoo’s Egg, Maximum Security, The Net


Vigenère

• Invented by Blaise de Vigenère, ~1550• Considered unbreakable for 300 years• Broken by Charles Babbage but kept

secret to help British in Crimean War• Attack discovered independently by

Friedrich Kasiski, 1863.


Vigenère EncryptionKey is a N-letter string.EK (P) = C where

Ci = (Pi + Ki mod N) mod Z (size of alphabet)

E“KEY” (“test”) = DIQDC0 = (‘t’ + ‘K’) mod 26 = ‘D’C1 = (‘e’ + ‘E’) mod 26 = ‘I’C2 = (‘s’ + ‘Y’) mod 26 = ‘Q’C3 = (‘t’ + ‘K’) mod 26 = ‘D’


Babbage’s Attack

• Use repetition to guess key length:Sequence XFO appears at 65, 71, 122, 176.Spacings = (71 – 65) = 6 = 3 * 2

(122 – 65) = 57 = 3 * 19 (176 – 122) = 54 = 3 * 18

Key is probably 3 letters long.


Key length - Frequency• Once you know key length, can slice

ciphertext and use frequencies:L0: DLQLCNSOLSQRNKGBSEVYNDOIOXAXYRSOSGYKY

VZXVOXCDNOOSOCOWDKOOYROEVSRBXENI

Frequencies: O: 12, S: 7, Guess O = e Ci = (Pi + Ki mod N) mod Z

‘O’ = (‘e’ + K0) mod 26

14 = 5 + 9 => K0 = ‘K’


Sometimes, not so lucky...L1: LMISQITVYJSSSJAHYECYSXOXGWYGJMRRXEGWRPEJXSI

SLIGHTVSXILWHXYXJPERISWTM

S: 9, X: 7; I: 6 guess S = ‘e’

‘S’ = (‘e’ + K1) mod 26

19 = 5 + 14 => K1 = ‘N’

‘X’ = (‘e’ + K1) mod 26

24 = 5 + 19 => K1 = ‘M’

‘I’ = (‘e’ + K1) mod 26

10 = 5 + 5 => K1 = ‘E’



Vigenère Simplification

• Use binary alphabet:Ci = (Pi + Ki mod N) mod 2

Ci = Pi Ki mod N

• Use a key as long as P:Ci = Pi Ki

• One-time pad – perfect cipher!


Ways to Convince• “I tried really hard to break my cipher, but couldn’t. I’m a

genius, so I’m sure no one else can break it either.”• “Lots of really smart people tried to break it, and couldn’t.”• Mathematical arguments – key size (dangerous!),

statistical properties of ciphertext, depends on some provably (or believed) hard problem

• Invulnerability to known cryptanalysis techniques (but what about undiscovered techniques?)

• Show that ciphertext could match multiple reasonable plaintexts without knowing key• Simple monoalphabetic secure for about 10 letters of

English: XBCF CF FWPHGWThis is secureSpat at troner


Real World Standard

• Attacker probably has details of algorithm

• Attacker has a limited amount of ciphertext, often has known plaintext, occasionally has chosen plaintext

• Breaking a cipher means the attacker can read a secret message


“Academic” Standard

• Assume attacker has full details of the algorithm

• Assume attacker has an unlimited number of chosen plaintext/ciphertext pairs

• Assume attacker can perform a very large number of computations, up to, but not including, 2n, where n is the key size in bits (i.e. assume that the attacker can’t mount a brute force attack, but can get close).


Shannon’s Theory [1945]

Message space: { M1, M2,..., Mn }

Assume finite number of messagesEach message has probability p(M1) + p(M2) + ... + p(Mn) = 1

Key space: { K1, K2,..., Kl }

(Based on Eli Biham’s notes)


Perfect Cipher: Definition

M1

M2

Mn

C1

C2

Cn

Ka

......

Kb

A perfect cipher: there is some key that maps any message to any ciphertext with equal probability.

For any i, j:p (Mi|Cj) = p (Mi)


Perfect Cipher

Definition: i, j: p (Mi|Cj) = p (Mi)

p(M) p(C | M) = p(C) p(M | C)

So, a cipher is perfect iff: M, C p(C) = p (C | M) = p(K) EK(M) = C

K

Sum over all keys such that EK(M) = C.


Perfect CipherSo, a cipher is perfect iff:

M, C p(C) = p(K) EK(M) = C

Or: C p(K) is independent of M EK(M) = C

Without knowing anything about the key, any ciphertext is equally likely to match and plaintext.

K

K


Example: Monoalphabetic

• Random monoalphabetic substitution for one letter message:

C,M: p(C) = p(C | M) = 1/26.


Example: One-Time PadFor each bit: p(Ci = 0) = p(Ci = 0 | Mi = 0) = p(Ci = 0 | Mi = 1) = ½since Ci = Ki Mi

p (Ki Mi = 0) = p (Ki = 1) * p (Mi = 1) + p (Ki = 0) * p (Mi = 0)

Truly random K means p (Ki = 1) = p (Ki = 0) = ½= ½ * p (Mi = 1) + ½ * p (Mi = 0)= ½ * (p (Mi = 1) + p (Mi = 0)) = ½

All key bits are independent, so:p(C) = p(C | M) QED.


Perfect Cipher Keyspace Theorem

Theorem: If a cipher is perfect, there must be at least as many keys (l) are there are possible messages (n).


Proof by ContradictionSuppose there is a perfect cipher with

l < n. (More messages than keys.)Let C0 be some ciphertext with p(C0) > 0.

There exist m messages M such that M = DK(C0 )

n - m messages M0 such that M0 DK(C0 )

We know 1 m l < n so n - m > 0 and there is at least one message M0.


Proof, cont.Consider the message M0 where

M0 DK(C0 ) for any K.

So,p (C0 | M0) = 0.

In a perfect cipher, p (C0 | M0) = p (C0) > 0.

Contradiction! It isn’t a perfect cipher.Hence, all perfect ciphers must have l n.


Example: MonoalphabeticRandom monoalphabetic substitution is not a perfect cipher for messages of up to 20 letters:

l = 26! n = 2620

l < n its not a perfect cipher.

In previous proof, could choose C0 = “AB” and M0

= “ee” and p (C0 | M0) = 0.


Example: MonoalphabeticIs random monoalphabetic substitution a perfect cipher for messages of up to 2 letters?

l = 26! n = 262

l n.

No! Showing l n does not prove its perfect.


Information Theory

• [Shannon 1948]• Entropy (H):

– Amount of information in a messageH(M) = log2 n where n is the number of possible meanings

H (month of year) = log2 12 3.6 (need 4 bits to encode a

year)


Rate• Absolute rate: how much information can

be encodedR = log2 Z (Z=size of alphabet)

REnglish =

• Actual rate of a language:r = H(M) / NM is an N-letter message.r of months spelled out using ASCII:

log2 26 4.7 bits / letter

= log2 12 / (8 letters * 8 bits/letter) 0.06


Rate of English• r(English) is about 1.3 bits/letter (.28

letters/letter).– How do we get this?

• How many meaningful 20-letter messages in English?r = H(M) / N1.3 = H(M)/20H(M) = 26 = log2 n

n = 226 = 6.7 million (of 2*1028 possible)One out of 7 * 1020 randomly selected 20-letter groups


Redundancy• Redundancy (D) is defined:

D = R – r• Redundancy in English:

D = 4.7 – 1.3 = 3.4 bits/letterEach letter is 1.3 bits of content, and

3.4 bits of redundancy. (~72%)• ASCII: 1 byte per letter

D = 8 – 1.3 = 6.784% redundancy, 14% information


Unicity Distance• Entropy of cryptosystem: (K = number of

possible keys)H(K) = log2 K

H(64-bit key) = 64• Unicity:

U = H(K)/DMinimum amount of ciphertext needed for brute-force attack to succeed.


Unicity Examples• One-Time Pad

H(K) = infiniteU = H(K)/D = infinite

• Monoalphabetic SubstitutionH(K) = log2 26! 87 D = 3.4 (redundancy in English)U = H(K)/D 25.5

Intuition: if you have 25 letters, probably only matches one possible plaintext.

D = 0 (random bit stream)U = H(K)/D = infinite


Unicity

• Theoretical and probabilistic measure of how much ciphertext is needed to determine a unique plaintext

• Does not indicate how much ciphertext is needed for cryptanalysis

• If you have less than unicity distance ciphertext, can’t tell if guess is right.

• As redundancy approaches 0, hard to cryptanalyze even simple cipher.


Charge

• Problem Set 1: due next Monday

• Next time: – Project team assignments

• If I don’t have your survey yet, make sure I get it today!

– DES – most widely used modern cipher

Documents

David Evans cs.virginia/~evans